2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy

SECURITY COMPLIANCE MADE EASY(ER): ENTERING THE SCAP RENAISSANCE

MOTIVATION

RHEL5 STIG (U.S. Military Baseline)
● 587 compliance items
● Many are manual

Avg Time to Configure & Verify Setting   # controls   Total Time per RHEL instance
1 minute                                 * 587        9.7 hours
3 minutes                                * 587        29.4 hours
5 minutes                                * 587        48.9 hours

… or a single LOC in kickstart

$ oscap xccdf eval \
    --profile rht-ccp \
    --remediate \
    --report /root/scan-report.html \
    /usr/share/xml/scap/content.xml

OUR (very ambitious) AGENDA

1. What’s the latest in the Security Automation space?
   a. Government & Commercial Initiatives
   b. Formal and Emerging SCAP Standards

2. What tools and content are available today?
   a. For enumerating (known) software vulnerabilities
   b. For assessing configuration

3. Use Case Story: Lockheed Martin and the Centralized Super Computing Facility

LIVE DEMOS

1. Install & Review SCAP profiles in RHEL 7

2. Performing a Compliance Scan

3. System Remediation

4. Creating Custom (derived) Configuration Baselines with SCAP Workbench

5. RHEL 7 “Easy Button” Installations

SPEAKERS

Shawn Wells
Director, Innovation Programs
Developer, OpenSCAP Content
Red Hat

Jeff Blank
Technical Director, OS and Applications Division
Information Assurance Directorate
National Security Agency

Sarah Storms
Josh Koontz
Engineering, Lockheed Martin

COMPLIANCE BIG PICTURE: PRODUCTS AND SYSTEMS

ACCREDITATION (diagram)

  SYSTEM VIEW:  System Controls, Compliance Checklist, Report / Results
  PRODUCT VIEW: Product Mandates, Product Evaluations, Certificates

SYSTEM VIEW OF ACCREDITATION

  System Controls:       NIST 800-53, FedRAMP, CNSSI 1253, PCI
  Compliance Checklist:  DISA STIG, NSA SNAC, CIS Benchmarks
  Report / Results:      Tenable Nessus, SECSCAN, SPAWAR SCC, OpenSCAP

PRODUCT VIEW OF ACCREDITATION

  Product Mandates:      Common Criteria, FIPS 140-2

  …. wait… what’s COMMON CRITERIA?

  - international framework for specifying and testing security functional and assurance requirements in IT products, through the use of Protection Profiles (PPs)

  - vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims.

  Product Evaluations:   Operating System Protection Profile, Server Virtualization Protection Profile, FIPS Validation
  Certificates:          NIAP Product Compliant List, FIPS Crypto Module Validation List

  Product Evaluations today: 1-2 years+, costly ($millions)

OPEN SOURCE CONFRONTS THE C&A CHALLENGE: PRODUCT CERTIFICATION

COMMON CRITERIA - REVAMPED

● Requirements specified in Protection Profiles
  ■ see https://www.niap-ccevs.org
  ■ development on https://github.com/commoncriteria
  ■ revamped OS Protection Profile due this July

● Dramatically reduced evaluation time and cost
  ■ 90 days possible, 180 max
  ■ compliance checklist produced during evaluation (SCAP)
  ■ list of system controls provided for evaluated products

● DISA STIG creation through ~25 selectable “management functions”

● DoD specific values expressed in DoD Annexes to Protection Profiles (succeeding SRGs)

● Remember…
  ■ RHEL5 STIG: 587 rules
  ■ RHEL6 STIG: ~255
  ■ RHEL.future STIG: est. < 100

OPEN SOURCE CONFRONTS THE C&A CHALLENGE: SYSTEM COMPLIANCE

Community created portfolio of tools and content to assess systems for known vulnerabilities.

https://github.com/OpenSCAP

2008  First commit to OpenSCAP, execution capability for SCAP on Linux

2011  First commit to SCAP Security Guide, hardening guidance + policy references. Colloquially, “SCAP Content”

DEMO #1: INSTALL, REVIEW PROFILES

Install OpenSCAP and SCAP Content
$ sudo yum install openscap-scanner scap-security-guide

What default profiles exist?
$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
….
Profiles:
    pci-dss
    rht-ccp
    common
    stig-rhel7-server-upstream
….

DEMO #2: REVIEW HARDENING GUIDES

Review manpage
$ man scap-security-guide

Review HTML guides
$ ls -l /usr/share/doc/scap-security-guide/rhel7-guide.html

DEMO #3: LOCAL SCAN, REVIEW RESULTS

Perform 1st Scan (--results is the machine-readable XCCDF XML, --report the human-readable HTML)
$ sudo oscap xccdf eval --profile rht-ccp \
    --results /root/summit-results.xml \
    --report /root/summit-report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Review Results
$ ${web_browser} /root/summit-report.html

DEMO #4: REMEDIATION

Generate remediation scripts from results
$ sudo oscap xccdf generate fix \
    --result-id xccdf_org.open-scap_testresult_rht-ccp \
    /root/summit-results.xml

Or, remediate automatically (be careful - no “undo”!)
$ sudo oscap xccdf eval --profile rht-ccp \
    --results /root/summit-results.xml \
    --report /root/summit-report.xml \
    --remediate \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
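Before handing a results file to `generate fix` or turning on `--remediate`, it helps to see what actually failed. The script below is an added example (not from the talk or from the OpenSCAP project): it parses an XCCDF 1.2 results document of the kind `--results` writes, selects the TestResult whose id matches the `--result-id` used above, and totals the outcomes. The embedded XML is a constructed stand-in for /root/summit-results.xml; its rule ids and severities are illustrative only.

```python
"""Summarize an OpenSCAP XCCDF 1.2 results file (added example, not code from
the talk or from OpenSCAP). SAMPLE_RESULTS is a constructed stand-in for
/root/summit-results.xml; its rule ids and severities are illustrative only."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample in the shape `oscap xccdf eval --results` writes: one
# TestResult per run, one rule-result per rule, outcome text per XCCDF 1.2.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_org.open-scap_testresult_rht-ccp">
    <profile idref="xccdf_org.ssgproject.content_profile_rht-ccp"/>
    <rule-result idref="xccdf_example_rule_a" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_b" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_c" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_d" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_e" severity="medium"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

def summarize(xml_text, result_id):
    """Return (Counter of outcomes, [(rule idref, severity)] for failed rules) for
    the TestResult whose id equals result_id; raise ValueError if none matches."""
    root = ET.fromstring(xml_text)
    for test_result in root.iterfind("xccdf:TestResult", XCCDF):
        if test_result.get("id") == result_id:
            break
    else:
        raise ValueError(f"no TestResult with id {result_id!r}")
    counts = Counter()
    failed = []
    for rule_result in test_result.iterfind("xccdf:rule-result", XCCDF):
        outcome = rule_result.findtext("xccdf:result", namespaces=XCCDF)
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rule_result.get("idref"), rule_result.get("severity", "unknown")))
    return counts, failed

def pass_rate(counts):
    """Share of scored rules that passed; notapplicable/notchecked are not scored."""
    scored = counts["pass"] + counts["fail"]
    return counts["pass"] / scored if scored else 0.0

if __name__ == "__main__":
    counts, failed = summarize(SAMPLE_RESULTS, "xccdf_org.open-scap_testresult_rht-ccp")
    print(dict(counts), f"pass rate {pass_rate(counts):.0%}")
    for idref, severity in failed:
        print(f"FAIL [{severity}] {idref}")
```

Point it at a real results file and the failing idrefs are exactly the rules whose remediation `generate fix` will emit, so the list doubles as a checklist of what `--remediate` would change.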

DEMO #5: SCAP WORKBENCH

Download SCAP Workbench
$ sudo yum -y install scap-workbench

Much of this demo is live. For extra details, https://open-scap.org

DEMO #6: “Easy Button Installs”

Live Demo
- RHEL 7.2 Anaconda Plugin
- Sample kickstarts @ https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/6/kickstart/

OpenSCAP IN ACTION: Lockheed’s Use Case

Sarah Storms, Project Engineer, Lockheed Martin, [email protected]

Joshua Koontz, Systems Engineer, Lockheed Martin, [email protected]

WHAT WE DO

The Centralized Super Computer Facility (CSCF) is an ICD 503 certified, cross-domain computing facility for U.S. Intelligence processing research and development.

ALGORITHM PROCESSING
CROSS DOMAIN DATA FUSION
MULTI-TENANT DATA STORAGE
VIRTUALIZATION

CSCF BACKSTORY

● The CSCF program has leveraged MLS OS configurations for the last 20 years
  ○ Minimize hardware, licensing, OS configuration, manpower costs
  ○ Maximize flexibility, data fusion, system utilization

● MLS requires a full ecosystem to be truly useful
  ○ Certified products
  ○ OS configuration
  ○ Resource management
  ○ Direct and Network attached storage
  ○ Including long haul data sharing
  ○ System Monitoring including audit reduction
  ○ Databases

CONSUMER TO COLLABORATOR

PARTICIPATE (100,000+ upstream projects)
CSCF participates in community-powered upstream projects, such as OpenSCAP and SELinux.

INTEGRATE (community platforms)
CSCF collaborates with Red Hat to integrate upstream projects into open, enterprise platforms.
https://github.com/CSCF

STABILIZE (supported products, platforms, solutions)
Lockheed commercializes these platforms, together with an ISV ecosystem, and pushes security accreditations.

MLS ECOSYSTEM

ECOSYSTEM PARTNERS
● LMC/CSCF
● Red Hat
● Altair
● Seagate
● Mellanox
● ViON
● Bay Microsystems
● SGI
● Cray
● Splunk
● Crunchy Data
● UNLV/NSCEE

MLS Ecosystem Objective - Provide MLS capable versions of software capabilities integrated with the RHEL MLS configuration to solve complex system configuration and support problems

HARDENING: OLD METHOD

The hardening shell script served several purposes in hardening the system:

● Distributes “baseline” system configurations and policies for authentication, auditing, accounts, services;

● Modular code in folders and separate scripts allowed for adaptation to meet changing system and security needs

Script layout (diagram): ./apply.sh drives per-category scripts grouped as CAT I, CAT II, NIST 800-53 and NSA SNAC:
  gen1000.sh  gen2000.sh  gen3000.sh  gen400.sh
  nist1000.sh nist2000.sh nist3000.sh nist4000.sh

C&A TESTING: OLD METHOD

Technical control testing is a subset of overall system controls

● SECSCN - Legacy system security scanner useful for DCID 6/3 testing. Isn’t flexible enough to test most of ICD 503 technical controls

● Bash script to manually test each control - System testers required a bash script to manually test each system control not checked by SECSCN

● Interactive tests - Tests that couldn’t be automatically checked in a bash script or special test cases

Initially took 12+ months from paperwork submittal until initial approval

HARDENING: NEAR FUTURE METHOD

Use OSCAP Anaconda Addon to specify CSCF-MLS profile during system build. Then apply custom configurations

● CSCF’s SCAP profile distributes hardened system configurations and policies for authentication, auditing, accounts, services

● Apply custom configurations separately from security relevant changes

C&A: CURRENT & FUTURE METHOD

Current (90 days from submittal to approval):
● SECSCN: still in use for familiarity
● NESSUS: vulnerability scan
● OpenSCAP: Configuration Compliance checklist
● Small set of interactive checks

Future (Targeting <30 days from submittal to approval):
● Drop SECSCN and NESSUS
● Fully utilize Anaconda-SCAP to provision directly into secure configuration

…. DRAMATICALLY SIMPLIFIED

CONTACT INFO

Shawn Wells, Director, Innovation Programs, [email protected]

Jeff Blank, Tech Director, OS and Applications Division, NSA, [email protected]

Sarah Storms, Project Engineer, CSCF, Lockheed Martin, [email protected]

Josh Koontz, Systems Engineer, CSCF, Lockheed Martin, [email protected]

